Shake Hooves With BeEF presented at OWASP AppSecAsiaPac 2012

by Christian "xntrik" Frichot,

Tags: Security

Summary : When was the last time you performed a penetration test and were able to successfully exploit a publicly accessible, vulnerable Apache instance? Or maybe the old-days where you could safely knock away for hours on an exposed FTP service until the username password combination clicked together. Like it or not, external perimeter controls have become so simple and ubiquitous these days you rarely come across trivial-to-exploit systems, in fact, when was the last time you came across a small-to-medium (or larger) enterprise that didnt use web-proxying services for their colleagues when browsing the net? Weve seen how attackers are actively exploiting the trust and the soft-gooey-juicy-ness of the internal network to perform various feats of exploitation (RSA anyone?), and this is where a nice slab of BeEF can really come in handy. A reasonable sized corporate is making 700,000 HTTP requests every work day. This attack surface needs to be tested.
The Browser Exploitation Framework is designed to assist the penetration tester in leveraging the power of the web-browser to scan internal networks, exploit other systems, proxy requests or basically anything else you can think of doing with javascript.
You are sure to walk away with a better understanding of how the BeEF framework fits in to your pen-testing toolkit along side your Metasploit and Burp.